CMMC Practice CA.L2-3.12.4

System Security Plan: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. ***Note: According to the DoD Scoring system, failure to comply with this practice by having no System Security Plan is an automatic failure of all practices.***

Monarch ISC Guidance

At a minimum, utilize the NIST template for System Security Plans, which is included with the Security Catapult. The template will document what practices are met or not met and describe how the Met practices are implemented. As noted above, it should contain enough information to guide the design and implementation of a system. A well formulated SSP will be an invaluable asset to use during your certification assessment.

Discussion From Source

NIST SP 800-171 R2 System security plans relate security requirements to a set of security controls. System security plans also describe, at a high level, how the security controls meet those security requirements, but do not provide detailed, technical descriptions of the design or implementation of the controls. System security plans contain sufficient information to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk if the plan is implemented as intended. Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. NIST SP 800-18 provides guidance on developing security plans.

References